Process and device for dealing with errors in electronic control devices

ABSTRACT

The invention proposes a process for error recovery in electronic control devices as well as apparatus for controlling the steering angle of the rear wheels of a motor vehicle. The control device controls an actuating member to which is connected a safety device. In the main operation of the control device, transmitter signals are detected, actuating values are calculated and the actuating member is controlled corresponding to the calculated values. The calculated actuating values and the detected transmitter signals are checked for consistency. On the basis of the checked values, a decision is made as to whether to continue running the main program or resort to one of two emergency measures. In the first emergency measure, the safety device is activated and the control of the actuating member is switched off. In the second emergency measure, the signals of transmitters continue to be detected and actuating values are calculated from these signals. Before adjusting the actuating member, the calculated actuating values are multiplied by a factor decreasing over time to achieve a gradual damping of the actuating amplitude of the actuating member.

PRIOR ART

The invention proceeds from a process and an apparatus for error control or error recovery in electronic control devices according to the generic part of the main claim. A process and an apparatus for error recovery in an electronic control device is already known from DE 38 25 280 A1. The control device is provided, e.g., for controlling rear axle steering in a motor vehicle. Two emergency running measures are provided in the event of an error. For a relatively grave error, one emergency running measure consists in that the rear wheels are maintained in the last adjusted position, i.e. that position adjusted immediately prior to the occurrence of the error. The emergency running measure for a relatively minor error consists in returning the deflected rear wheels to the neutral or zero position in a purposeful manner and at final speed.

ADVANTAGES OF THE INVENTION

The process, according to the invention, with the characterizing features of the main claim has the advantage over the prior art that in the event of a relatively minor error an emergency program is started in which regulating variables or actuating values continue to be calculated for the actuating member as in the main program. These actuating values are multiplied by a factor which decreases over time from the moment the emergency program begins to run, resulting in a gradual fading or damping of the actuating amplitude of the actuating member. A smooth transition is effected from a deflected state of the actuating member to the neutral position of the actuating member. In this way, when a relatively minor error occurs, the control of the actuating member can be cut off gently without a drastic change in the control response. As concerns the control of rear wheel steering of a motor vehicle in particular, the gentle disengagement of rear wheel steering in an emergency situation is safer, since the driving behavior of the vehicle does not change abruptly.

Advantageous further developments and improvements of the process indicated in the main claim are made possible by the steps contained in the subclaims. To check for consistency of the detected transmitter signals, it is particularly advantageous to check the detected transmitter signals against predetermined values to determine whether or not a permissible signal range has been exceeded and/or to compare the detected transmitter signals with the detected transmitter signals of the redundant transmitter which is provided in addition. Accordingly, in many cases the defective transmitter can be definitely identified and the appropriate emergency measure can then be instituted.

Further, it is advantageous for checking the consistency of the detected transmitter signals to compare the rate of change of the detected transmitter signals with predetermined values as a function of predetermined quantities. This step enables early detection of an error so that the appropriate emergency measure can be implemented more promptly.

For checking the consistency of the detected transmitter signals, it is also advantageous to compare the detected transmitter signals with values derived from detected transmitter signals of transmitters supplying equivalent information. This enables more reliable detection of an error for a transmitter for which there is no redundant transmitter.

Further, it is advantageous for consistency checks to compare the number of detected errors with predetermined values and to include different errors in the same count when these errors are attributed to an identical source and to run one of the emergency programs only when the number of detected errors has reached a predetermined value. Running an emergency program only after repeated errors are detected prevents superfluous running of an emergency program due to a temporary disturbance, e.g. EMC disturbance. By counting together different errors attributed to the same cause, the emergency measure can be carried out faster than when errors are evaluated as different, independent errors.
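Three of the consistency checks named above (permissible range, comparison with the redundant transmitter, rate of change) and the shared error count per source can be sketched as follows. This is an added example, not code from the patent; the limit values, all names, and the rule that an error-free cycle clears a count are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Kinds of error one sample can raise. All names and limit values in this
 * sketch are assumptions; the patent gives no concrete numbers. */
enum { ERR_RANGE = 1 << 0, ERR_REDUNDANT = 1 << 1, ERR_GRADIENT = 1 << 2 };
#define ERR_KINDS 3

typedef struct {
    double lo, hi;     /* permissible signal range */
    double max_diff;   /* tolerated gap to the redundant transmitter */
    double max_step;   /* largest plausible change between two cycles */
    unsigned limit;    /* count at which an emergency program is run */
} limits_t;

typedef struct {
    double last;       /* previous sample, for the rate-of-change check */
    bool have_last;
} source_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Runs the three checks on one sample and returns a bitmask of failures. */
unsigned check_sample(const limits_t *lim, source_t *src,
                      double value, double redundant)
{
    unsigned err = 0;
    if (value < lim->lo || value > lim->hi)
        err |= ERR_RANGE;
    if (absd(value - redundant) > lim->max_diff)
        err |= ERR_REDUNDANT;
    if (src->have_last && absd(value - src->last) > lim->max_step)
        err |= ERR_GRADIENT;
    src->last = value;
    src->have_last = true;
    return err;
}

/* Returns the cycle in which the error count reaches the limit, or -1.
 * shared=true: every kind of error from this transmitter feeds one counter.
 * shared=false: each kind is counted on its own, for comparison.
 * Assumption: a counter is cleared by a cycle without that error. */
int first_trip(const limits_t *lim, const double *v, const double *r,
               int n, bool shared)
{
    source_t src = { 0.0, false };
    unsigned total = 0, per_kind[ERR_KINDS] = { 0 };

    for (int i = 0; i < n; i++) {
        unsigned err = check_sample(lim, &src, v[i], r[i]);
        if (shared) {
            total = err ? total + 1 : 0;   /* one count per faulty cycle */
            if (total >= lim->limit)
                return i;
            continue;
        }
        for (int k = 0; k < ERR_KINDS; k++) {
            per_kind[k] = ((err >> k) & 1u) ? per_kind[k] + 1 : 0;
            if (per_kind[k] >= lim->limit)
                return i;
        }
    }
    return -1;
}

/* Constructed traces (transmitter, redundant transmitter), not measured data. */
static const limits_t LIMITS = { -30.0, 30.0, 2.0, 5.0, 3 };
static const double SPIKE_V[] = { 1, 2, 40, 3, 4 };    /* one EMC-like spike */
static const double SPIKE_R[] = { 1, 2, 3, 3, 4 };
static const double FAULT_V[] = { 1, 2, 0, 6, 12 };    /* failing transmitter */
static const double FAULT_R[] = { 1, 2, 2.5, 6.5, 7 };

int main(void)
{
    printf("spike, shared count:       %d\n",
           first_trip(&LIMITS, SPIKE_V, SPIKE_R, 5, true));
    printf("fault, shared count:       %d\n",
           first_trip(&LIMITS, FAULT_V, FAULT_R, 5, true));
    printf("fault, independent counts: %d\n",
           first_trip(&LIMITS, FAULT_V, FAULT_R, 5, false));
    return 0;
}
```

On the constructed traces the single spike never reaches the limit, while the failing transmitter trips the shared count in cycle 4 although no single kind of error has yet been seen three times in a row.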

The activation of the safety device in the second emergency program and the interruption of the control of the actuator after a given time is likewise advantageous, since a state of safety is achieved for the control system and the microcomputer can then carry out further tests and diagnostic programs, for example. After the control device has been recognized as being once more free of errors, it is possible to gently switch on the rear wheel steering again. This may be done by gradually increasing the calculated steering amplitudes to those of the main program.

For the apparatus controlling the steering angle of the rear wheels of a motor vehicle, it is also advantageous to provide an emergency program in which the actuating values are calculated as in the main program. These actuating values are also multiplied by a factor which decreases over time resulting in a gradual damping of the actuating amplitude of the actuating member.

Further, it is advantageous that the first emergency program, in which the control of the actuating member is shut off immediately, is always run when the consistency check determines that none of the transmitters supplying values for the actual position of the actuating member are operating correctly and/or the values calculated by the microcomputers deviate beyond a predetermined threshold. In this event, it is advantageous to shut off the control immediately because the actuator position is absolutely necessary for a controlled adjustment of the actuating member.

If it is detected in the consistency check that none of the transmitters for the steering angle are operating correctly, it is advantageous to run the third emergency program. In this case, the control system still maintains control over the actual position value so that the adjustment of the actuating member can still be returned to the neutral position to achieve a more favorable driving behavior.

It is also advantageous to use two microcomputers with different semiconductor structures and/or other differences for the apparatus for controlling the rear wheel steering. This reduces the likelihood of an undetected error occurring simultaneously in both microcomputers.

It is likewise advantageous to install different programs in the two microcomputers to prevent the simultaneous occurrence of an undetected error in both microcomputers.

DRAWING

Two embodiment examples of the invention are shown in the drawing and described in more detail in the following description.

FIG. 1 shows a schematic view of a control device for controlling rear wheel steering;

FIG. 2 shows a first embodiment example of a simple program structure for a main program to be run in the first microcomputer;

FIG. 3 shows the program structure of a main program to be run in the second microcomputer;

FIG. 4 shows the program structure of a first emergency program for running in the first microcomputer;

FIG. 5 shows the program structure of a first emergency program for running in the second microcomputer;

FIG. 6 shows the program structure of a second emergency program for running in the first microcomputer;

FIG. 7 shows a program structure of a second emergency program for running in the second microcomputer;

FIG. 8 shows a program structure of a third emergency program for running in both microcomputers by which the control of the rear axle actuator is switched off;

FIG. 9 shows a second embodiment example for a structure chart of a main program for running in the first microcomputer;

FIG. 10 shows a second embodiment example for a structure chart of a main program for running in the second microcomputer;

FIG. 11 shows the signal curves of two transmitters for the actual position value of an actuating member at the first occurrence of an error;

FIG. 12 shows the signal curves of two transmitters for the actual position value of an actuating member at the second occurrence of an error;

FIG. 13 shows the signal curves of two transmitters for the actual position value of an actuating member at the third occurrence of an error;

FIGS. 14 and 15 show the signal curves of two transmitters for the actual position value of an actuating member at the fourth occurrence of an error.

DESCRIPTION OF THE INVENTION

FIG. 1 shows an embodiment form of a control device 25 for controlling rear wheel steering. This figure shows a microcomputer 5 containing such important elements of a microcomputer as the RAM and ROM of a central microprocessor, input/output modules, and an interface 10. The ROM contains a main program and the emergency programs. A bus connection 11 leads from interface 10 to the interface 12 of a second microcomputer 17. Instead of connecting the two microcomputers via interfaces 10, 12, certain ports of the microcomputers 5, 17, serial interfaces or a dual-port RAM can also be used to connect the two microcomputers 5, 17. The latter also includes, among others, a RAM and a ROM, a central microprocessor, and input/output modules. Another main program and other emergency programs are stored in its ROM. The two microcomputers 5, 17 can exchange data via the bus connection 11. Instead of providing individual RAM modules in both microcomputers 5, 17, it is also possible to use a dual-port RAM module which is accessed by both microcomputers 5, 17. The signals of a steering angle sensor 1 are supplied to microcomputer 5 after filtering by a filter 2, limiting by a limiter 3 and A/D conversion by an A/D converter 4. The signal of a wheel speed sensor 26 is also fed to the microcomputer 5 via different signal processing stages such as a filter 27 and limiter 28. The signal of a displacement pickup 13 for the position of a rear axle actuator 8 is supplied to microprocessor 17 after being processed by a filter 17, limiter 15, and A/D converter 16.

Additional transmitters with the respective signal chains can be supplied to the microcomputers 5, 17. Sensors suitable for rear wheel steering are, for example, acceleration sensors, additional wheel revolution sensors, speed sensors, temperature and pressure sensors for the hydraulic system, and sensors for precision adjustment of the steering angle. In addition, some of the safety-related sensors, e.g. the steering angle sensor 1 and displacement pickup 13 for the position of the rear axle actuating member 8, and the speed sensor 26, can be duplicated. If the individual control devices of the motor vehicle are linked by a bus system, e.g. CAN bus, it is also possible for the sensor signals supplied to these control devices to be transmitted to the control device 25 via a CAN bus.

Two actuators 7 and 31 constructed as proportional valves are provided for adjustment of the rear axle actuator 8. The calculated actuating values are supplied to these actuators 7 and 31 via output modules in microcomputer 5 after amplification in the output stages 6, 30. A retaining brake 9 which can be activated by microcomputer 5 via a first connection line 19 and by microcomputer 17 via a second connection line 24 is provided for locking the rear axle actuator 8. For safety purposes, shut-off valves and test valves can also be arranged in the hydraulic system. These valves are connected with microcomputers 5, 17 and activate the retaining brake 9 by shutting off the system pressure. An error light 21 is connected to microcomputer 5 via connection line 20 and to microcomputer 17 via connection line 23. Two controllable relays 18, 32 are connected with the microcomputers 5, 17 via connection lines 22 and 29. The output stages 6, 32 can accordingly be cut off from the power supply.

The operation of the arrangement shown in FIG. 1 for controlling rear wheel steering is explained in the following with reference to FIGS. 2 to 8. The example for rear wheel steering relates to the four-wheel steering in a passenger automobile. The front wheels are adjusted by a mechanical arrangement as in conventional two-wheel steering. The adjustment of the rear axle must then be adapted to the steering angle of the steering wheel depending on the speed of the vehicle and the driving situation. For example, a parallel adjustment of the front and rear wheels is advisable when parking, whereas it is advisable to turn the front wheels and rear wheels in different steering angle directions to achieve smaller turning circles. When traveling at high speeds and in reverse, the rear axle must also be adjusted differently depending on the deflections of the steering angle. Therefore, different calculating principles should be used for controlling the rear wheel steering depending on the driving situation.

The flow chart shown in FIG. 2 illustrates the operating sequence of the main program in microcomputer 5. After the power-on reset 40, microcomputer 5 starts its main program. Initialization is effected in the first program step 41. This step also contains tests for determined functional parts contained in microcomputer 5 or connected therewith, e.g. ROM, RAM, EEPROM, watchdog, and the connected valves, actuating members and retaining brake. Then, in program steps 42 and 43, the steering angle LW is read in by the steering angle transmitter 1 and the wheel speed value U_RAD is read in by the connected wheel speed sensor 26. In program step 44, microcomputer 5 reads the actual position value LG_IST of the rear axle actuator 8 from the displacement pickup 13. For this purpose, data must be exchanged between the two microcomputers 5, 17. If microcomputer 17 has not yet determined this value at that time, microcomputer 5 must first undergo several wait cycles and then repeat its request for the actual position value from microcomputer 17. In this way, a synchronization of the two microcomputers 5, 17 is achieved. The input transmitter values are checked in the subsequent interrogations.

When the computer detects an error in one of the transmitter values, the cause of the error source is not yet known. Various causes may have led to the error. On the one hand, the error may lie within the transmitter itself. On the other hand, it is possible that the error occurred in the signal chain from the transmitter to one of the microcomputers. Errors of this type also include EMC disturbance. A third possibility is that the error lies in one of the two microcomputers 5, 17. In the latter case, dependable operation of the four-wheel steering can no longer be ensured and the control of the rear axle must be interrupted momentarily. If the error lies in the transmitter and/or in the signal chain from the transmitter to one of the microcomputers 5, 17, an equivalent or substitute control and/or substitute functions in which this transmitter value is no longer used for calculating the actuating values can be carried out depending on the transmitter in question. To distinguish between these two sources of error after the error is detected, e.g. during the checking of a transmitter value, the microcomputer detecting the error branches into an emergency program B, C and the microcomputers 5, 17 are checked in this emergency program B, C by means of a data exchange. The check by data exchange primarily consists of a comparison of the actuating values and/or determined intermediate results calculated by the two microcomputers 5, 17. However, there are other possibilities for checking by data exchange. For example, certain register contents of the two microcomputers 5, 17 can also be exchanged and compared. Since an error in the microcomputer can be distinguished from other causes of error in this way, either the appropriate emergency program B, C can continue to run or the control of the rear axle can be interrupted. As switching off the control of the rear axle significantly alters the driving performance, a different "safer" emergency program B, C should be run as often as possible. This is made possible by the process described herein. In addition, errors caused by a defective microcomputer are not as common in practice as other error sources, so that it is not necessary to switch off the control of the rear axle every time an error is detected.

The actual position value is the first value to be compared with the predetermined threshold range in interrogation 45. If the actual position value does not lie within the predetermined reference value range, the main program branches to emergency program A in microcomputer 5. When an error is detected during the checking of the actual position value, safe driving operation with continued rear wheel steering can no longer be ensured and the rear wheel steering is immediately switched off in emergency program A. This is explained later in the description of FIG. 8.

In interrogation 46, the input steering angle value is likewise checked against the predetermined threshold range. If this interrogation 46 establishes that the range has been exceeded, the program jumps to another emergency program B. Since an error has been determined in the steering angle value, the system still has control over the actual position value of the rear axle actuator 8 if the error lies in the steering angle transmitter 1 and/or in the signal chain from the steering angle transmitter 1 to microcomputer 5. Accordingly, the rear axle actuator can still be shifted to the center position in a controlled manner in emergency program B. The driving performance of the motor vehicle will not change so abruptly as a result. Emergency program B is explained in more detail in the description of FIG. 6.

Interrogation 48 checks whether or not the input wheel revolution speed value lies in its predetermined reference value range. If not, the program branches to another emergency program C. If the error has its source in the wheel speed transmitter 26 and/or in the signal chain from the wheel speed transmitter 26 to microcomputer 17, control over the actual position value of the rear axle actuator 8 and over the steering angle deflection of the steering wheel is maintained. Therefore, actuating values for the rear axle actuator 8 can still be calculated from the read in steering angle values and supplied to the actuating member 7, 31 in emergency program C for a short time (in which the driving situation cannot change drastically). As a precaution, the checking of the actuating values for adjusting the rear axle actuator 8 is allowed to continue in this emergency program and to gradually subside over a determined period of time until the rear axle actuator 8 reaches the center position. Thus, the driving behavior of the motor vehicle changes less drastically than in emergency programs A and B.

There are other possible ways to check for error detection. For example, the gradients of the transmitter values can be subjected to a check, also in comparison with the gradients of the other transmitter values. If there are redundant transmitters, these may also be utilized in the check. Further, the information of certain transmitters can be compared with the information of other transmitters which detect quantities depending on the information of the first transmitters. For example, the transmitters for the wheel speed and the signal of a speedometer shaft both provide information on the speed of the motor vehicle. Another possibility for reliable detection of an error is to check the frequency of the errors determined in the comparisons and checks and to branch to emergency running as soon as determined frequency limits are exceeded. When checking to determine that the center position has been reached, it is advisable to let the rear axle actuator first pass over the center position several times without fixing it in the center position. When the rear axle actuator has practically ceased to swing around the center position, it can be fixed in this position. In this way it is possible to prevent an abrupt change in driving characteristics even on stretches of road with many curves.

If no errors are detected in interrogations 45 to 48, the actuating values for adjusting the two actuating members 7 and 31 are calculated in step 49. The calculation is based on the input transmitter values. The computing functions vary depending on the driving situation. The calculated actuating values are compared with the calculated actuating values of microcomputer 17 in interrogation 50. Another data exchange between the two microcomputers 5, 17 is required for this purpose. In this case, the two microcomputers 5, 17 are synchronized as in program step 44. If the calculated values of the two microcomputers 5, 17 are different, an error is assumed in one of the microcomputers 5, 17 and emergency program A is run. Otherwise, the values calculated in the two microcomputers 5, 17 are averaged and supplied to the actuating members 7, 31. In the control device described here, the actuating values are only output through microcomputer 5. This construction is a result of the demand within the safety concept that the control apparatus only supply actuating values to the actuators when both computers 5, 17 are running properly. Accordingly, output need only be effected by one of the two microcomputers 5, 17. This takes place in program step 51. Once the program has run properly, program steps 42 to 51 are repeated in the same manner until the control device 25 is cut off from the voltage supply by switching off the ignition.

The flow chart shown in FIG. 3 will clarify the operating sequence of the main program in microcomputer 17. It is essentially identical to the structure chart in FIG. 2. The first program step after power-on/reset 40 is also program step 41 as in FIG. 2. Of course, the tests designated therein are now directed to the functional parts connected to microcomputer 17. However, the active testing of the two actuating members 7, 31 is omitted here, since the actuating members are only connected to microcomputer 5. The actual position value is then read in by the displacement pickup 13. This is effected in program step 44. The values for the steering angle and the wheel speed have been taken over by microcomputer 5 in program steps 42 and 43. The data exchange required for this purpose corresponds to that in program step 44 in FIG. 2. The read in values are checked in exactly the same manner as in the structure chart in FIG. 2 by interrogations 45 to 48. However, it should be noted that emergency programs B and C are contained in microcomputer 17. Emergency program A is identical to emergency program A in FIG. 2, but is also contained in microcomputer 17. After the interrogations, the actuating values are also calculated as in program step 49 in FIG. 2. In this case, the actuating values determined by the two microcomputers 5, 17 are also checked after the data exchange of the calculation results as in program step 50 in FIG. 2. In this case, also, if the calculation results do not correspond, emergency program A is run. In the event of correct operation, program steps 42 to 50 are repeated. Again, this is effected until the control device is cut off from the power supply.

The flow chart in FIG. 4 serves to illustrate emergency program C in microcomputer 5. In the first program step 57, the error light 21 is turned on. In the following program step 58, a variable is set to the value of 1. In the next program step 59, microcomputer 5 sends a special data word to microcomputer 17. This data word informs microcomputer 17 that microcomputer 5 has detected an error and has run emergency program C. Microcomputer 17 then sends its check word or control word back to microcomputer 5. The control word is received by microcomputer 5 in program step 60. In interrogation 61, the control word sent to microcomputer 17 is compared with the control word received by microcomputer 17. If the control words do not match, microcomputer 5 interprets this to mean that an error exists in one of the microcomputers 5, 17 and carries out the emergency cut-off by running emergency program A. This check determines whether or not both computers are running the same emergency program. In program step 62, the regular calculation of the actuating values for the actuators is carried out. This takes place according to the same computing steps as those in the main program in microcomputer 5, but without using the information from the wheel speed transmitter in which an error has been detected. This calculation is based on the read in transmitter values for the steering angle and actual position value. The results of the calculation are multiplied in program step 63 by a time-dependent factor. This factor was set to 1 in program step 58. A new calculation is carried out in program step 62 depending on the intervening period of time. A gradual damping of the steering amplitudes at the rear axle is achieved by multiplying the calculated actuating values by a factor changing from 1 to 0 over time. The operator of the motor vehicle can accustom himself to the changed driving behavior of his vehicle by means of this substitute control.

In program step 64, the actuating values which were calculated in the same way in the other microcomputer 17 are transmitted to microcomputer 5 by exchanging data via the bus connection 11. In the following interrogation 50, the computation results of the two computers 5, 17 are compared. If the results do not match, an error must exist in one of the microcomputers 5, 17, whereupon an emergency cutoff is initiated by running emergency program A. If both computers supply the same results, the error must lie in the wheel revolution sensor 26 and/or in the signal chain from the wheel revolution sensor 26 to microcomputer 5 and emergency program C can continue to run. The actuating values determined by the two computers 5, 17 are then averaged in program step 51 and supplied to the actuating members 7, 31. In program step 42, the steering angle is read in as in the main program. In program step 44, the actual position value is taken over by microcomputer 17 as in the main program. After this, the ranges of the actual position value and steering angle value are checked as in the main program (interrogations 45 and 46). In program step 65, the actual position value is additionally checked to determine whether or not the center position of the rear axle actuator 8 has been reached. If this center position has been reached, the control of the actuating member is switched off by running the emergency program A. When checking on the center position it is advisable to allow the rear axle actuator to pass over the center position several times without fixing it in the center position. The rear axle actuator can be fixed in the center position once it has virtually ceased to swing over this center position. Accordingly, there is no abrupt change in the driving characteristics even on stretches of road with many curves. This concludes emergency program C and the vehicle is steered only by front-wheel steering from this point. Four-wheel steering can be activated again only after ignition on/off and test.

If the center position has not yet been achieved, program steps 59 to 65 are repeated until the center position is reached. When the ignition is switched off, the data words characterizing the errors may be stored together with the relevant operating data in a storage area so that they are available for subsequent diagnosis by diagnostic equipment in a workshop.
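One pass of emergency program C on the computer that drives the actuators, as described for FIG. 4, can be sketched as follows. This is an added example, not code from the patent; the linear fade, the gain, the tolerances, the control word values and the rule of five consecutive centered cycles are assumptions, and the range checks of interrogations 45 and 46 are left out.

```c
#include <stdbool.h>
#include <stdio.h>

/* All constants and names below are assumptions made for this sketch. */
#define FADE_CYCLES   200u    /* cycles over which the factor falls from 1 to 0 */
#define STEER_GAIN    0.25    /* actuating value per degree of steering angle */
#define MATCH_TOL     0.01    /* tolerated gap between the two computers' results */
#define CENTER_TOL    0.125   /* |LG_IST| counted as "at the center position" */
#define SETTLE_CYCLES 5u      /* consecutive centered cycles before locking */
#define WORD_B 0xB5u          /* control word announcing emergency program B */
#define WORD_C 0xC5u          /* control word announcing emergency program C */

typedef enum { RUN_EMERGENCY_C, RUN_EMERGENCY_A } next_t;

typedef struct {
    unsigned cycle;     /* cycles since emergency program C started */
    unsigned centered;  /* consecutive cycles spent at the center position */
    double output;      /* averaged value handed to the actuating members */
    bool brake_on;      /* retaining brake 9 */
    bool stages_on;     /* output stages 6, 30 */
} channel_t;

static double absd(double x) { return x < 0 ? -x : x; }

/* Program steps 58 and 63: factor that starts at 1 and decreases to 0. */
double fade_factor(unsigned cycle)
{
    return cycle >= FADE_CYCLES ? 0.0 : 1.0 - (double)cycle / FADE_CYCLES;
}

/* Program steps 62 and 63: actuating value without the wheel speed, damped. */
double damped_value(double lw, unsigned cycle)
{
    return STEER_GAIN * lw * fade_factor(cycle);
}

/* Emergency program A (FIG. 8): lock the actuator and cut the output stages. */
static next_t emergency_a(channel_t *ch)
{
    ch->output = 0.0;
    ch->brake_on = true;
    ch->stages_on = false;
    return RUN_EMERGENCY_A;
}

/* One pass through the loop of emergency program C. */
next_t emergency_c_cycle(channel_t *ch, unsigned own_word, unsigned peer_word,
                         double lw, double lg_ist, double peer_value)
{
    if (own_word != peer_word)                  /* interrogation 61 */
        return emergency_a(ch);

    double own = damped_value(lw, ch->cycle);   /* steps 62, 63 */
    if (absd(own - peer_value) > MATCH_TOL)     /* interrogation 50 */
        return emergency_a(ch);

    ch->output = 0.5 * (own + peer_value);      /* step 51: average and output */
    ch->cycle++;

    /* Step 65: lock only once the actuator has stayed at the center, so a
     * mere crossing of the center position does not end the program. */
    ch->centered = absd(lg_ist) <= CENTER_TOL ? ch->centered + 1 : 0;
    if (ch->centered >= SETTLE_CYCLES)
        return emergency_a(ch);
    return RUN_EMERGENCY_C;
}

/* Constructed scenario: constant steering angle, an actuator that reaches the
 * commanded value within one cycle, and a second computer whose result is off
 * by peer_offset. Returns the cycle in which emergency program A was run, or
 * 0 if it never was. */
unsigned run_scenario(double lw, double peer_offset, channel_t *ch)
{
    double lg_ist = STEER_GAIN * lw;
    *ch = (channel_t){ .stages_on = true };
    for (unsigned n = 1; n <= 2 * FADE_CYCLES; n++) {
        double peer = damped_value(lw, ch->cycle) + peer_offset;
        if (emergency_c_cycle(ch, WORD_C, WORD_C, lw, lg_ist, peer)
                == RUN_EMERGENCY_A)
            return n;
        lg_ist = ch->output;
    }
    return 0;
}

int main(void)
{
    channel_t ch;
    printf("healthy computers: switched off in cycle %u\n",
           run_scenario(40.0, 0.0, &ch));
    printf("disagreeing computers: switched off in cycle %u\n",
           run_scenario(40.0, 0.5, &ch));
    return 0;
}
```

With two agreeing computers the output fades to zero and the brake is applied only after the actuator has settled at the center; a disagreement between the computers or a mismatched control word leads to emergency program A in the same cycle.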

FIG. 5 shows the flow chart for emergency program C in microcomputer 17. Program steps 57 and 58 are identical to program steps 57 and 58 in FIG. 4. In program step 66, microcomputer 17 sends its control word to microcomputer 5. In program step 67, microcomputer 17 reads the control word of microcomputer 5. Interrogation 61 checks for a match between the two control words as in program step 61 in FIG. 4. The actuating values are calculated in program steps 62 and 63 as in program steps 62 and 63 in FIG. 4. In program step 68, microcomputer 17 reads the actuating values calculated by microcomputer 5 in the same manner as in program step 64 in FIG. 4. The following program steps correspond to those of the structure chart of FIG. 4, apart from the omission of program step 51 for the output of the actuating values. Moreover, the corresponding emergency programs are called up in microcomputer 17 instead of in microcomputer 5.

Emergency program B of microcomputer 5 is described in the following with reference to the structure chart in FIG. 6. Emergency program B is another emergency running program which enables a gentle switching off of the rear wheel steering when an error has been detected. The error light is switched on in program step 57. In program steps 59 and 60, the control words for this emergency program are exchanged as in the corresponding program steps in emergency program C in FIG. 4 and are compared with one another in program step 61. The essential difference over emergency program C consists in that the actuating values are calculated without the information of the transmitter signals. In this case, the rear axle actuator 8 is adjusted in the direction of the center position, e.g. at a speed of 0.5 meters/sec. The calculations required for this are carried out in program step 70. In program step 64, the actuating values calculated by microcomputer 17 are read in and compared with one another in program step 50 as in emergency program C in FIG. 4. The output of the actuating values is then carried out in program step 51 and the actual position value is read in by microcomputer 17 in program step 44 and checked in interrogation 45. Interrogation 65 serves to detect the center position of the rear axle actuator 8. If the center position has not yet been reached, program steps 59 to 65 are repeated. When the center position is reached, the control is switched off by running emergency program A. As in emergency program C, the four-wheel steering can be reactivated only after the ignition on/off and after the tests have been run.

The structure chart for emergency program B in microcomputer 17 is run through in a corresponding manner. It is shown in FIG. 7. It differs from emergency program B in FIG. 6 in that there is no output of actuating values, in that the control word is sent to microcomputer 5 in program step 66 and the control word is read by microcomputer 5 in program step 67, and in that the calculated values of microcomputer 5 are read in program step 68.

After running emergency program B or C, further developments of the process other than switching off the rear wheel steering control are also possible. For example, after running an emergency program, the rear wheel steering control can be switched back on again when the speed falls below a certain threshold. This may be effected, for example, similarly to emergency program C, i.e. in that the steering amplitudes are gradually increased over a certain period of time until the steering amplitudes are calculated again as in the main program. Naturally, additional error checks must take place in this phase, which would cause a shutdown again if an error were detected.

FIG. 8 shows the structure chart for emergency program A. This structure chart applies to both computers. Program steps 71, 72 and 73 are run through in this emergency program. Program step 71 switches on the error light 21. In program step 72, the retaining brake 9 is activated by the respective microcomputer 5, 17. The output stages 6, 30 are then shut off by the controllable relays 18, 32 in program step 73. The output stages can then be switched on by the main program after ignition off/on and after successfully passing the safety tests.

A second embodiment example for a main program for running in microcomputers 5, 17 is described in the following. The construction of the control device for the second embodiment example corresponds to that of the first embodiment example to a great extent. However, in this case, several sensors, e.g. the transmitter 13 for the actual position value of the actuating member 8, the transmitter 1 for the steering angle, are duplicated, one of the two transmitters being connected to microcomputer 5 and the other being connected to microcomputer 17. All sensors connected to microcomputer 5 form a first group of transmitters. All of the sensors connected to microcomputer 17 form a second group of transmitters.

The operation of microcomputer 5 is explained in the following with reference to the structure chart in FIG. 9. After the program start 80, there is an initializing phase for the control device as in the first embodiment example. In the next program step 82, the transmitter signals of all transmitters connected to microcomputer 5 are detected. The determined measured values are sent to microcomputer 17 in program step 83. Microcomputer 5 then takes over the measurements determined by microcomputer 17. That is, there is an exchange of measured values between the two microcomputers 5 and 17 in program step 83. At the same time, the two microcomputers are synchronized by this exchange of measured values. In the following program step 84, the determined measured values are checked. Various testing criteria are interrogated in this consistency check. More exact details on the testing criteria are explained at greater length in the description of the structure chart for the main programs.

As a result of the consistency check, a decision is made as to whether or not the main program can continue to run and, if not, which of the three different emergency programs is to be run. The results of the consistency check are exchanged between the two microcomputers 5, 17 in program step 85. Subsequently, an inquiry is made in interrogation 86 as to whether or not the two computers have arrived at the same test results. If not, emergency program A is run, as was described in the first embodiment example. If the test results of both microcomputers 5, 17 match, three interrogations 87, 88 and 89 take place. In interrogation 87, the test results are analyzed to determine whether emergency program A should be run. If so, the program jumps to emergency program A. In interrogation 88, the test results are analyzed to determine whether or not it is necessary to run emergency program B. If so, emergency program B is run. Finally, in interrogation 89, the test results are analyzed to determine whether it is necessary to run emergency program C. If so, emergency program C is run. If the consistency check on the measurement values of the two microcomputers shows that there is no need to run an emergency program, the main program continues. The actuating values are then calculated in program step 90 based on the detected transmitter signals.

In program step 91, the calculated actuating values are exchanged between the two microcomputers 5, 17. The two microcomputers are again synchronized in so doing. In interrogation 92, the exchanged actuating values are compared. If the actuating values do not match, it is assumed that a serious error has occurred and microcomputer 5 branches to emergency program A. If the actuating values match, the position is adjusted in program step 93. In so doing, microcomputer 5 generates control signals for the actuators 7, 31 of the actuating member 8, which control signals correspond to the calculated actuating values. When the position has been adjusted, a correctly operating control cycle has been completed. The next control cycle is then started with the detection of the transmitter signal in program step 82.

FIG. 10 shows the structure chart corresponding to FIG. 9 for the main program to be run in microcomputer 17. It substantially corresponds to the structure chart in FIG. 9. It differs from the latter in that the transmitters connected to microcomputer 17, i.e. transmitter group 2, are detected in program step 94. The same program steps 83 to 92 as in microcomputer 5 are then run. Program step 93, in which the position is adjusted, is omitted for the main program of microcomputer 17, since microcomputer 17 is not designed for regular control of the actuators 7, 31 of the actuating member 8.

The consistency check of the measured values in program step 84 of each structure chart in FIGS. 9 and 10 is discussed in more detail in the following.

When an error occurs, a signal changes fundamentally in finite time so that a value which is characterized at first, apart from its deviation, e.g., from a redundant transmitter signal, only by a gradient which is too large can also be measured before the permissible signal range is exceeded. As a rule (e.g. in the event of a break in a wire or a short circuit), this is followed by an exceeding of the permissible signal range (out of range). Accordingly, the error pattern of a sensor consists of

a final state of the erroneous signal sufficiently long after the occurrence of the error and

the sequence of identical or different instances of loss of plausibility directly after the occurrence of an error.

Various criteria are examined during the consistency check to determine the existence of an error. The first criterion is whether or not the determined measurement lies within the permissible range of measurements for the transmitter in question. The second criterion is whether or not a transmitter signal changes at a speed which is impossible (not permissible) in practice. For this purpose, the current measured value of the transmitter must be compared with the previously determined measured value. Thus, an excessive change in a transmitter signal is already an early indication of the existence of an error, even if the permissible measurement range for the transmitter signal has not yet been exceeded.

A further criterion for the presence of an error is an excessive discrepancy between the measured values of two identical sensors, one of which is redundant. This criterion also already indicates the presence of an error, even if the transmitter signals still lie within the permissible measurement range.

In many cases, exact information concerning the error may be obtained already by including not only the current measured values but also the preceding measured values in the error analysis. For example, it can be concluded from the following time sequence

discrepancy between two values of identical transmitters plus an excessively large gradient of the transmitter values

discrepancy between two values of identical transmitters plus a value lying outside the permissible measurement range

and a discrepancy between two values of identical transmitters plus a transmitter value outside the permissible measurement range

that the signal with the excessively large gradient or the impermissible signal value is erroneous, but that the other signal is correct and can accordingly continue to be used (at least temporarily). Based on the error information, the appropriate emergency measure is selected and initiated. The information of the transmitter detected as defective is then no longer used for controlling the actuating member.

To prevent the triggering of an emergency program for very brief disturbances (e.g. EMC), a plurality of successive signal values are evaluated. Therefore, the time sequence of the losses in plausibility (not necessarily identical) is used to decide which emergency programs to run.

The selected duration or number of immediately consecutive losses in plausibility before an emergency measure is triggered must be large enough to bridge brief disturbances. On the other hand, particularly in very dynamic systems, emergency measures must be instituted as quickly as possible, i.e. the error reaction time must be minimized. For this purpose, different instances of lost plausibility are evaluated by the present invention as identical errors when they are attributable to an identical cause.

Some hypothetical signal curves of two identical transmitters for the actual position value of the actuating member 8 are used as examples in the following. The information concerning the actual position value is duplicated once in the steering system. The transmitter values are detected cyclically in each microcomputer 5, 17 (e.g. every millisecond).

FIG. 11 shows the first two signal curves x₁, x₂ for the two transmitters. The permissible measurement range for the actual position transmitter lies between 0.5 and 4.5 volts. The maximum permissible deviation between the two measurements is set at 0.2 volts. The maximum permissible rate of change of an actual position value is 15 V/s. Before running an emergency program, three consecutive errors must be detected. An error occurs at time t_F. The following error pattern is given for microcomputers 5, 17 in the case of the following detected signals at times t₁, t₂, t₃ (see table 1).

    Table 1

                t₁                    t₂                            t₃
    x₁          no error              no error                      no error
    x₂          gradient too large    measurement range exceeded    measurement range exceeded
    (x₁ - x₂)   deviation too large   deviation too large           deviation too large

Based on this error pattern, microcomputers 5, 17 determine that transmitter x₂ is defective, but transmitter x₁ can continue to be used.

In FIG. 12, an error again occurs at time t_F. The following error pattern emerges for the microcomputers from the detected signals at times t₁, t₂, t₃ (see table 2):

    Table 2

                t₁                    t₂                    t₃
    x₁          no error              no error              no error
    x₂          no error              no error              measurement range exceeded
    (x₁ - x₂)   deviation too large   deviation too large   deviation too large

Based on this error pattern, the two microcomputers 5, 17 determine that transmitter x₂ is defective but that transmitter x₁ can continue to be used.

In the signal curves according to FIG. 13, the following error pattern results for the two microcomputers 5, 17 after signal detection (see table 3):

    Table 3

                t₁                    t₂                    t₃
    x₁          no error              no error              no error
    x₂          no error              no error              no error
    (x₁ - x₂)   deviation too large   deviation too large   deviation too large

Based on this error pattern, the two microcomputers cannot identify the error. They therefore initiate emergency program A to achieve a safe state.

A fourth example for the signal curves of the actual position transmitter is shown in FIG. 14. Based on these signal curves, the following error pattern results for the two microcomputers 5, 17 (see table 4):

    Table 4

                t₁                    t₂                    t₃
    x₁          no error              no error              no error
    x₂          gradient too large    no error              no error
    (x₁ - x₂)   deviation too large   deviation too large   deviation too large

Based on this error pattern, signal x₂ is detected as defective and signal x₁ can be used further.

This error analysis is also suitable in principle for sensors having no direct redundancy. The detected transmitter signals of transmitters carrying equivalent information can be monitored for permissible gradients or values exceeding the range. Thus, a decision may also be made in this case about which signal path may definitely be classified as defective. To decide which emergency program to run after three errors have been detected, microcomputers 5, 17 also evaluate the importance of the sensor detected as defective during the consistency check. The following sensors are used for controlling rear wheel steering:

two actual position transmitters which detect the position of the actuating member,

two steering angle transmitters which detect the rotational angle of the steering wheel,

a transmitter for the vehicle speed (for example, this includes transmitters which detect the rotation of a speedometer shaft, but wheel revolution sensors such as those used in anti-lock braking systems can also be used for the same purpose; the speedometer shaft transmitter then serves as a redundant transmitter either for the wheel speed of one wheel or for the mean value of the two wheel revolution speeds of the two wheel speed sensors),

transmitters for the loading status of the vehicle,

transmitters for information about whether or not reverse gear is engaged,

transmitters for the yaw speed of the vehicle,

transmitters for the transverse acceleration of the vehicle,

transmitters for the crosswind effect on the vehicle,

transmitters for the inclination of the vehicle body.

Knowledge of the actuator position is always required for regulating the movement of the actuator. Thus, when a defect occurs in this sensor, a controlled actuator movement is no longer possible and only substitute function A can be used. The steering angle transmitter takes into account the dynamic steering state of the vehicle. If it is not definitely known which individual signal is still working correctly, it is not possible to steer the rear wheels synchronously with the front axle. However, if the actual position transmitter does not fail at the same time, substitute function B may be carried out. Dynamic changes in the driving speed, loading state and forward/reverse drive occur only gradually. Values measured and stored immediately before the occurrence of an error remain valid for a relatively long time and do not impede synchronous steering of the rear axle. For example, the loading state of the vehicle and shifting between forward and reverse gears change only when the vehicle is stationary. The driving speed changes at a maximum acceleration of 1 g and the safety of the vehicle is not jeopardized when a vehicle speed is incorrectly assumed to be too great. Accordingly, substitute function C is also possible when none of the signals is definitely detected as still usable.

In conclusion, the following table 5 shows which emergency programs are run by the respective microcomputer when an individual signal of the specific transmitter is considered still usable/not usable.

    Table 5

                            individual signal   individual signal
                            usable              not usable
    actual position value   C                   A
    steering angle          C                   B
    driving speed           C                   C
    loading state           C                   C
    reverse gear            C                   C
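The consistency check and the program selection of table 5 can be sketched in C as follows. This is an added example, not code from the patent: the type and function names, the accumulation of findings over the error streak, and the sample traces (constructed to reproduce the patterns of tables 1 to 4) are assumptions; the limits are the ones quoted above for the actual position transmitters.

```c
#include <stdio.h>

/* Limits quoted in the text for the actual position transmitters. */
#define RANGE_MIN_V  0.5
#define RANGE_MAX_V  4.5
#define MAX_DEV_V    0.2     /* permitted deviation between x1 and x2 */
#define MAX_RATE_V_S 15.0    /* permitted rate of change */
#define CYCLE_S      0.001   /* cyclic detection, e.g. every millisecond */
#define ERR_CYCLES   3       /* consecutive errors before reacting */

enum { F_RANGE = 1u, F_GRADIENT = 2u };   /* findings for one signal */
typedef enum { PROG_MAIN, PROG_A, PROG_B, PROG_C } program_t;
typedef enum { S_POSITION, S_STEERING_ANGLE, S_SPEED, S_LOAD, S_REVERSE } sensor_t;
typedef enum { V_NONE, V_X1_DEFECT, V_X2_DEFECT, V_UNKNOWN } verdict_t;

typedef struct {
    double prev1, prev2;   /* previous samples, needed for the gradient */
    int have_prev;
    int streak;            /* consecutive cycles with any lost plausibility */
    unsigned acc1, acc2;   /* findings per signal, accumulated over the streak */
} monitor_t;

static double absd(double v) { return v < 0 ? -v : v; }

/* Criteria 1 and 2: permissible range and permissible rate of change. */
static unsigned signal_flags(double x, double prev, int have_prev)
{
    unsigned f = 0;
    if (x < RANGE_MIN_V || x > RANGE_MAX_V) f |= F_RANGE;
    if (have_prev && absd(x - prev) / CYCLE_S > MAX_RATE_V_S) f |= F_GRADIENT;
    return f;
}

/* One detection cycle. Different losses of plausibility count towards the
 * same streak; a verdict is given only after ERR_CYCLES consecutive ones. */
verdict_t monitor_step(monitor_t *m, double x1, double x2)
{
    unsigned f1 = signal_flags(x1, m->prev1, m->have_prev);
    unsigned f2 = signal_flags(x2, m->prev2, m->have_prev);
    int deviation = absd(x1 - x2) > MAX_DEV_V;     /* criterion 3 */

    m->prev1 = x1; m->prev2 = x2; m->have_prev = 1;
    if (!f1 && !f2 && !deviation) {                /* brief disturbance over */
        m->streak = 0; m->acc1 = m->acc2 = 0;
        return V_NONE;
    }
    m->streak++; m->acc1 |= f1; m->acc2 |= f2;
    if (m->streak < ERR_CYCLES) return V_NONE;
    if (m->acc2 && !m->acc1) return V_X2_DEFECT;   /* x1 still usable */
    if (m->acc1 && !m->acc2) return V_X1_DEFECT;   /* x2 still usable */
    return V_UNKNOWN;                              /* cannot tell which one */
}

/* Table 5: emergency program by sensor and by whether one signal is usable. */
program_t select_program(sensor_t s, verdict_t v)
{
    if (v == V_NONE) return PROG_MAIN;
    if (v != V_UNKNOWN) return PROG_C;             /* individual signal usable */
    switch (s) {
    case S_POSITION:       return PROG_A;
    case S_STEERING_ANGLE: return PROG_B;
    default:               return PROG_C;
    }
}

/* Interrogation 86: differing results on the two computers lead to A. */
program_t cross_check(program_t mine, program_t other)
{
    return mine == other ? mine : PROG_A;
}

/* Feed a trace of {x1, x2} samples and return the program selected. */
program_t run_trace(sensor_t s, const double (*xs)[2], int n)
{
    monitor_t m = {0};
    for (int i = 0; i < n; i++) {
        verdict_t v = monitor_step(&m, xs[i][0], xs[i][1]);
        if (v != V_NONE) return select_program(s, v);
    }
    return PROG_MAIN;
}

/* Constructed traces in volts: one sample before the error, then t1..t3. */
static const double TRACE_T1[4][2] = {{2.5, 2.5}, {2.5, 3.5}, {2.5, 4.8}, {2.5, 4.9}};
static const double TRACE_T2[4][2] = {{4.27, 4.46}, {4.26, 4.474}, {4.25, 4.488}, {4.24, 4.502}};
static const double TRACE_T3[4][2] = {{2.40, 2.59}, {2.39, 2.60}, {2.38, 2.61}, {2.37, 2.62}};
static const double TRACE_T4[4][2] = {{2.5, 2.5}, {2.5, 3.0}, {2.5, 3.0}, {2.5, 3.0}};
static const double TRACE_GLITCH[4][2] = {{2.5, 2.5}, {2.5, 3.5}, {2.5, 2.5}, {2.5, 2.5}};

int main(void)
{
    static const char *name[] = {"main", "A", "B", "C"};
    printf("table 1 pattern: %s\n", name[run_trace(S_POSITION, TRACE_T1, 4)]);
    printf("table 2 pattern: %s\n", name[run_trace(S_POSITION, TRACE_T2, 4)]);
    printf("table 3 pattern: %s\n", name[run_trace(S_POSITION, TRACE_T3, 4)]);
    printf("table 4 pattern: %s\n", name[run_trace(S_POSITION, TRACE_T4, 4)]);
    printf("brief glitch:    %s\n", name[run_trace(S_POSITION, TRACE_GLITCH, 4)]);
    return 0;
}
```

In the table 4 trace the gradient finding from t₁ is retained while only the deviation persists, which is why x₂ is still named as the defective signal at t₃.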

The described process for error recovery in electronic control devices can be modified in many ways. Thus, it is not absolutely necessary to provide two or more microcomputers for the control device. With reduced safety requirements it is also possible to provide just one microcomputer.

We claim:
 1. Process for error recovery in electronic control devices for controlling parts of an apparatus, said electronic control devices including at least one microcomputer, transmitter means for generating transmitter signals containing information regarding said parts of said apparatus, said transmitter means comprising a plurality of transmitters including duplicate transmitters and said transmitter means being connected to said at least one microcomputer to transmit said transmitter signals to said at least one microcomputer, at least one actuating member, at least one actuator connected to said at least one actuating member and connected to said microcomputer so that said at least one actuating member is controllable by said at least one microcomputer via said at least one actuator, at least one safety device connected to said at least one actuator and said at least one microcomputer, wherein said at least one microcomputer includes at least one main program means for controlling said at least one actuating member, at least two emergency program means for controlling said at least one actuating member and means for deciding which of said program means is to control said at least one actuating member, said process including the steps of: a) detecting said transmitter signals from said transmitters in said at least one main program means in said at least one microcomputer; b) calculating values from said transmitter signals detected in step a); c) checking at least one of said values calculated in step b) and said transmitter signals detected in step a) for consistency; d) adjusting said at least one actuating member by generating control signals for control of said at least one actuating member at least partly using said values calculated from said transmitter signals and feeding said control signals to said at least one actuator which controls said at least one actuating member at least partially using said control signals; e) deciding which of said program means is to be run based on said checking in step c); f) activating said at least one safety device with a first one of said at least two emergency program means to interrupt control of said at least one actuator by said main program means when said first emergency program means is selected in said deciding step e); g) continuing to detect said transmitter signals in a second one of said at least two emergency program means and calculating other values from said transmitter signals detected in said second emergency program means when activated; h) checking said other values calculated in step g) for consistency; i) multiplying said other values calculated in step g) by a factor which decreases as time proceeds during operation of said second emergency program means so as to achieve a gradual damping of said at least one actuating member; and j) generating other control signals for at least partially controlling said at least one actuating member from said other values multiplied by said factor in step i) and supplying said other control signals to said at least one actuator, so that said other values calculated in step g) at least in part act to adjust said at least one actuating member via said at least one actuator.
 2. Process as defined in claim 1, wherein said checking of said values calculated from said transmitter signals comprises comparing said transmitter signals with predetermined values to determine if said transmitter signals are within a permissible signal range or not.
 3. Process as defined in claim 1, wherein said checking of said values calculated from said transmitter signals comprises comparing a rate of change of said values with predetermined rate parameters.
 4. Process as defined in claim 1, wherein said checking of said transmitter signals for consistency includes comparing said transmitter signals of said duplicate transmitters with said transmitter signals not from said duplicate transmitters.
 5. Process as defined in claim 1, wherein said checking of said transmitter signals for consistency includes comparing said transmitter signals with said values containing equivalent information.
 6. Process as defined in claim 1, wherein during said checking for consistency errors are detected, and further comprising counting said errors to determine the number of said errors and operating one of said emergency program means only if the number of said errors exceeds a predetermined number.
 7. Process as defined in claim 1, further comprising activating said at least one safety device during operation of said second emergency program means and interrupting control of said at least one actuator for adjusting said at least one actuating member.
 8. Process as defined in claim 1, wherein said at least one microcomputer includes a third emergency program means for calculating additional values for adjusting said at least one actuating member, and further comprising calculating said additional values with said third emergency program means without information from said transmitter signals.
 9. Process as defined in claim 8, wherein said third emergency program means determines a location of said at least one actuating member, and further comprising detecting a center position of said at least one actuating member with said third emergency program means and operating said third emergency program means to control said at least one actuating member when said center position is detected.
 10. Process as defined in claim 1, wherein said parts are rear wheels of a motor vehicle.
 11. Apparatus for controlling steering of motor vehicle rear wheels comprising: at least one actuating member for adjusting a steering angle of rear wheels of a motor vehicle; a retaining brake connected with said at least one actuating member as a safety device for said at least one actuating member; at least one actuator connected to said at least one actuating member and including means for controlling said at least one actuating member; at least one transmitter means for generating at least one transmitter signal for a steering angle, a driving speed and wheel speeds of one of said rear wheels and other wheels of said motor vehicle; at least one other transmitter means for generating at least one other transmitter signal for at least one actual position of said at least one actuating member of said motor vehicle; at least two microcomputers, each of said at least two microcomputers containing at least one main program means for controlling said at least one actuating member, at least two emergency program means for controlling said at least one actuating member and means for deciding which of said program means is to be operated; and wherein said at least one main program means includes means for detecting said at least one transmitter signals from said at least one transmitter means and said at least one other transmitter signals from said at least one other transmitter means, means for calculating values from said at least one transmitter signal and said at least one other transmitter signal detected by said means for detecting, means for checking at least one of said values and said at least one transmitter signals for consistency, means for adjusting said at least one actuating member by generating control signals and means for feeding said control signals to said at least one actuator for control of said at least one actuating member based at least partially on said checking, and wherein a first one of said at least two emergency program means in said at least one microcomputer includes at least one safety means for interrupting control of said at least one actuator for adjusting said at least one actuating member and a second one of said at least two emergency program means includes means for detecting said transmitter signals, means for calculating other values from said transmitter signals, means for adjusting said at least one actuating member based at least partially on said other values of said transmitter signals, means for checking at least one of said transmitter signals and said other values for consistency, means for multiplying said other values by a factor decreasing with increasing time from a start of operation of said second emergency program means for gradual damping of an actuating amplitude of said at least one actuating member, and wherein at least one of said at least two microcomputers continues to generate control signals according to said other values multiplied by said factor and feed them to said at least one actuator for control of said at least one actuating member.
 12. Apparatus as defined in claim 11, wherein said at least one transmitter means for said steering angle includes duplicate transmitters for said steering angle, and said at least one other transmitting means for an actual position includes duplicate transmitters for said actual position, and each of said duplicate transmitters for said actual position is connected to a different one of said at least two microcomputers and each of said duplicate transmitters for said steering angle is connected to a different one of said at least two microcomputers.
 13. Apparatus as defined in claim 12, wherein said at least two microcomputers contain means for activating said first emergency program means when said means for checking in said at least two microcomputers detect that none of said duplicate transmitters for said actual position value of said at least one actuating member is operating correctly.
 14. Apparatus as defined in claim 12, wherein said at least two microcomputers contain means for activating said first emergency program means when said means for checking in said at least two microcomputers detect that said duplicate transmitters for said actual position value of said at least one actuating member produce output signals deviating from each other beyond a predetermined extent.
 15. Apparatus as defined in claim 12, wherein said at least two microcomputers include a third emergency program means when at least one of said means for checking in said at least two microcomputers detects that none of said duplicate transmitters for said steering angle are operating correctly.
 16. Apparatus as defined in claim 11, further comprising a power supply for said at least one actuator, and wherein said safety means for interrupting control of said at least one actuator includes means for interrupting a power supplied by said power supply to said at least one actuator.
 17. Apparatus as defined in claim 16, wherein said means for interrupting power includes at least one relay connected between said power supply and said at least one actuators, said at least one relay being connected to at least one of said microcomputers having means for control of said relay to open or close said relay.
 18. Apparatus as defined in claim 11, further comprising an error indicator connected to said at least two emergency program means, and wherein each of said at least two emergency program means include means for activating said error indicator when activated.
 19. Apparatus as defined in claim 10, wherein said at least two of said at least two microcomputers includes different program means for checking at least one of said transmitter signals and said values.
 20. Apparatus as defined in claim 19, wherein each of said at least two microcomputers has a different semiconductor structure.
 21. Apparatus as defined in claim 11, wherein each of said at least two microcomputers contains monitoring circuit means for monitoring other ones of said at least two microcomputers to receive monitoring signals therefrom and means for interrupting control of said at least one actuator adjusting said at least one actuating member in an absence of said monitoring signals from any one of said others of said at least two microcomputers.
 22. Apparatus as defined in claim 11, further comprising a dual-port RAM connected to said at least two microcomputers.